I've been asked an interesting and, seemingly, trivial question: "How would you protect the hosts in an AWS VPC located in different subnets by inspecting traffic between them?"

I was also assured that, presently, AWS did not have a solution to this problem: as every routing table you create will contain a "local" route, all traffic from all subnets within one VPC will be routed through it.

To work on this puzzle, this lab environment was provisioned:

...and the answer to this dilemma is to use static routes on the instances, pointing to the interfaces of the vSEC or cluster:

[root@ip-10-255-255-200 ec2-user]# route
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref    Use Iface
default         10.255.255.193   0.0.0.0          UG    0      0        0 eth0
10.255.255.128  10.255.255.201   255.255.255.192  UG    0      0        0 eth0
10.255.255.192  *                255.255.255.192  U     0      0        0 eth0
169.254.169.254 *                255.255.255.255  UH    0      0        0 eth0
[root@ip-10-255-255-200 ec2-user]#

[root@ip-10-255-255-150 ec2-user]# route
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref    Use Iface
default         10.255.255.129   0.0.0.0          UG    0      0        0 eth0
10.255.255.128  *                255.255.255.192  U     0      0        0 eth0
10.255.255.192  10.255.255.140   255.255.255.192  UG    0      0        0 eth0
169.254.169.254 *                255.255.255.255  UH    0      0        0 eth0
[root@ip-10-255-255-150 ec2-user]#

With the firewall access rules set:

With the NAT rules set to:

And I was able to see the packets traversing the firewall (10.255.255.201 and 10.255.255.140 are its interfaces):

That's interesting and very nicely demonstrated, and if I am asked to do this, I'll now have a way to achieve it.

Having said that, some chaps and I are working on the design for an AWS infrastructure with various 'zones' and Check Point firewalls to provide protection (mainly DLP) between the zones. This is being designed from the ground up with security in mind; security by design, as some would call it. We have made the decision that we will have a firewall between the various VPCs while maintaining multiple subnets within a single VPC. In this way, the problem that you have solved will not exist.

When I liken the AWS environment to the traditional network model (understanding that there are important and major differences), I see the multiple subnets in a VPC a bit like the multiple VLANs on a network, which are routed within layer 3 switches (usually the core), and the inter-VPC communications to be much like those VLANs which are tagged to the Check Point(s)' multi-VLAN (trunked) ports for firewalling and routing.

Of course, if inheriting an infrastructure that is already in place and having to firewall between subnets in a VPC, then your solution is exactly what we'll need - thanks.

I wonder if anyone else has an opinion about which approach they might take when designing this from the ground up?

You should be able to prevent the bypass by using security groups, specifying that only communication between the one that the vSEC belongs to and the ones containing instances is permitted.

Even in autoscaling DHCP scenarios, you can still bootstrap the static route allocation to the launch group, making enforcement of the routing mandatory.
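As an added illustration of the two points above (the static routes from the route tables earlier in the thread, and bootstrapping them at launch), here is a user-data style script in POSIX sh. It is example code, not code from the thread and not Check Point's: the addresses are the lab's, but the mapping of subnet to on-link vSEC interface, the route-eth0 persistence path, the eth0 device name and the --apply flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Pins the route to the peer
# subnet through the vSEC interface that sits in the instance's own subnet, so
# inter-subnet traffic does not take the VPC "local" route.

# Lab layout taken from the thread's route tables; the pairing of each subnet
# with "its" vSEC interface is an assumption for illustration.
PREFIX=26
SUBNET_A=10.255.255.128; VSEC_A=10.255.255.140
SUBNET_B=10.255.255.192; VSEC_B=10.255.255.201
# Netmask as an integer: 4294967232 (0xFFFFFFC0) for a /26.
MASK=$(( 4294967295 - ((1 << (32 - PREFIX)) - 1) ))

# ip2int <dotted-quad>: print the address as a 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet <ip-a> <ip-b>: succeed if both fall inside the same /PREFIX.
same_subnet() {
  [ $(( $(ip2int "$1") & MASK )) -eq $(( $(ip2int "$2") & MASK )) ]
}

# peer_route_for <local-ip>: print "<peer-subnet>/<prefix> via <next-hop>".
# The next hop has to be on-link: the kernel rejects a gateway it cannot reach
# directly, and in a VPC only the instance's own subnet is directly reachable,
# which is why the vSEC needs an interface in every subnet it protects.
peer_route_for() {
  if same_subnet "$1" "$SUBNET_A"; then
    echo "$SUBNET_B/$PREFIX via $VSEC_A"
  elif same_subnet "$1" "$SUBNET_B"; then
    echo "$SUBNET_A/$PREFIX via $VSEC_B"
  else
    echo "no on-link vSEC interface for $1; not touching the routing table" >&2
    return 1
  fi
}

# install_route <local-ip>: apply the route now and persist it. The route-eth0
# file is the Amazon Linux / RHEL-style location (an assumption elsewhere).
install_route() {
  route=$(peer_route_for "$1") || return 1
  # word splitting is intended: $route expands to "<cidr> via <gateway>"
  ip route replace $route dev eth0
  printf '%s dev eth0\n' "$route" >> /etc/sysconfig/network-scripts/route-eth0
}

# From user-data: sh pin_vsec_route.sh --apply
# The local address comes from the instance metadata service.
if [ "${1:-}" = "--apply" ]; then
  local_ip=$(curl -sf http://169.254.169.254/latest/meta-data/local-ipv4) || exit 1
  install_route "$local_ip"
fi
```

Because the script refuses to act when it cannot find an on-link vSEC interface, a launch in an unexpected subnet fails loudly instead of silently keeping the local route. The route alone is still only a host setting, so pair it with the security-group rule described above: if the instances' group accepts inter-subnet traffic only from the vSEC's group, a host that deletes its static route still cannot reach the peer subnet directly.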

The challenge, as it was posited to me, was to make it work explicitly without NAT; I was told it was impossible and was asked for the best possible alternative for securing instances by means of host-based solutions or any other suitable means.

After making this happen, I did some searches on this subject, but either my queries were poorly formed, or this is the only way it can presently be accomplished in AWS.

Can you verify this before I start puffing up and tooting my own (and, by extension, Check Point's) horn?